[sf-lug] The sky is [not] falling ... again (Re: Verifiably critical systemd vulnerability anyone?) ... CVE-2021-33910

Todd Hawley celticdm at gmail.com
Wed Jul 21 10:13:47 PDT 2021

On Tue, Jul 20, 2021 at 7:22 PM Michael Paoli <
Michael.Paoli at cal.berkeley.edu> wrote:

> The more-or-less usual, and not a huge deal.
> Sure, not pretty, but ...
> Thus far appears it's "only" a DoS vulnerability, and
> requires local user to be able to run relatively arbitrary commands - or
> at least certain commands and using relatively arbitrarily long strings.
> And yes, it can - via our not-so-old frenemy systemd, crash the system
> by critically running the host out of memory.
> And yes, Qualys found it and responsibly disclosed it.
> But their main article on it:
> https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/cve-2021-33910-denial-of-service-stack-exhaustion-in-systemd-pid-1
> surprise surprise ... not ... spends about 2/3 of it pushing ...
> of course Qualys product(s) because, hey, they're a security products
> vendor.  So, "of course" if they can whip folks into a frenzied panic,
> and maybe also get 'em to buy more Qualys security products ... uhm,
> do we see a problem here?  And unfortunately too many
> "journalists"/reporters
> buy the hype and run with stuff like "that's bad, that's really bad.",
> e.g.:
> https://www.zdnet.com/article/nasty-linux-systemd-security-bug-revealed/
> Sure, not pretty, kind'a embarrassing for systemd ... if systemd cares
> enough to be embarrassed.  But it's not *that* bad.  If one takes it in
> the context of all the damage a maliciously intended local user on a
> Linux host can cause ... yeah, crashing the host isn't that big a deal and
> probably fairly easy to do on most hosts that aren't fairly well hardened
> to thwart such relatively child's play level attacks from a local user
> that can run relatively arbitrary unprivileged commands.

I had to wonder, when reading the original post, how much of this was a
real "serious problem" and how much of this was a vendor trying to hype
their products. I see posts like this periodically on the list, and while
I appreciate hearing about vulns, it seems like generally these "news
articles" are more about a vendor trying to hype their products than
anything else. It's too bad the reporters don't see through the hype.
Thanks Michael for setting us straight.

